The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Socially Savvy Scattered Spider Traps Cloud Admins in Web

PRESS RELEASE

DELRAY BEACH, Fla., Sept. 10, 2024 /PRNewswire/ -- The global Security Testing Market size is projected to grow from USD 14.5 billionin 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™.

One of the key factors promoting the security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities. However, the organizations, being in the digitalized world are getting more and more dependent on the digital applications that require the identification of the system's security risks and their resolution before the potential exploitation of such risks by the attackers which is becoming the new crucial practice. This rising concern pushes organizations to adopt the security testing process in order to guard their systems, data, and reputation from the possible breaches.

Request Sample Pages@ https://www.marketsandmarkets.com/requestsampleNew.asp?id=150407261

Based on the application testing tools, SAST accounts for the highest market size during the forecast period.

The adoption of Static Application Security Testing (SAST) tools is increasing as organizations prioritize secure software development. SAST tools enable developers to identify and fix security vulnerabilities early in the coding process, reducing the risk of security flaws in production. This shift is driven by the growing emphasis on integrating security into the software development lifecycle (SDLC) and the need to comply with stringent security standards. As a result, more companies are adopting SAST tools to enhance code security, improve development efficiency, and ensure that applications are robust against cyber threats from the outset.

By Application security testing type, web application security testing accounts for the highest market size during the forecast period.

The adoption of web application security testing is growing as organizations increasingly rely on web-based platforms for business operations and customer interactions. With the rise in cyber threats targeting web applications, such as SQL injection and cross-site scripting (XSS), companies are prioritizing security testing to identify and mitigate vulnerabilities before they can be exploited. This proactive approach is driven by the need to protect sensitive data, ensure compliance with regulations, and maintain customer trust in an environment where web applications are a critical part of the business landscape.

Inquire Before Buying@ https://www.marketsandmarkets.com/Enquiry\_Before\_BuyingNew.asp?id=150407261

By Region, Asia Pacific will grow at the highest CAGR during the forecast period.

The adoption of security testing services in the Asia Pacific region is rapidly increasing due to the region's expanding digital economy and the rising threat of cyberattacks. As businesses in Asia-Pacific embrace digital transformation and cloud computing, the need to identify and address vulnerabilities in their systems has become crucial. Regulatory pressures and growing awareness of cybersecurity risks are also driving organizations to invest in security testing solutions to ensure the resilience of their IT infrastructure and protect sensitive data from breaches. This trend is further fueled by the region's diverse and complex threat landscape, prompting a proactive approach to cybersecurity.

Top Key Companies in Security Testing Market:

IBM (US), HCLTech (India), Synopsys (US), OpenText (UK), Cigniti (US), Qualitest (UK), Intertek (UK), DXC Technology (US), eInfochips (US), Checkmarx (US), HackerOne (US), Invicti (US), DataArt (US), Cobalt Labs (US), Trustwave (US), Contrast Security (US), Veracode (US), Qualys (US), OffSec (US), NCC Group (UK), GitHub (US), Bugcrowd (US), Applause (US), Rapid7 (US), Parasoft (US), BreachLock (US), ImmuniWeb (Switzerland), Pentest People (UK), SafeAeon (US), and REDTEAM.PL (Poland) are the key players and other players in the Security Testing Market.

Browse Adjacent Market: Information Security Market Research Reports & Consulting

Browse Other Reports:

Blockchain Security Market - Global Forecast to 2029

IoT Security Market - Global Forecast to 2029

Exposure Management Market\- Global Forecast to 2029

Next-Generation Firewall Market\- Global Forecast to 2028

Digital Signature Market\- Global Forecast to 2028

Get access to the latest updates on Security Testing Companies and Security Testing Industry

About MarketsandMarkets™ 

MarketsandMarkets™ has been recognized as one of America's best management consulting firms by Forbes, as per their recent report.

MarketsandMarkets™ is a blue ocean alternative in growth consulting and program management, leveraging a man-machine offering to drive supernormal growth for progressive organizations in the B2B space. We have the widest lens on emerging technologies, making us proficient in co-creating supernormal growth for clients.

Earlier this year, we made a formal transformation into one of America's best management consulting firms as per a survey conducted by Forbes.

The B2B economy is witnessing the emergence of $25 trillion of new revenue streams that are substituting existing revenue streams in this decade alone. We work with clients on growth programs, helping them monetize this $25 trillion opportunity through our service lines - TAM Expansion, Go-to-Market (GTM) Strategy to Execution, Market Share Gain, Account Enablement, and Thought Leadership Marketing.

Built on the 'GIVE Growth' principle, we work with several Forbes Global 2000 B2B companies - helping them stay relevant in a disruptive ecosystem. Our insights and strategies are molded by our industry experts, cutting-edge AI-powered Market Intelligence Cloud, and years of research. The KnowledgeStore™ (our Market Intelligence Cloud) integrates our research, facilitates an analysis of interconnections through a set of applications, helping clients look at the entire ecosystem and understand the revenue shifts happening in their industry.

To find out more, visit www.MarketsandMarkets™.com or follow us on Twitter, LinkedIn and Facebook.

Security Testing Market Worth $43.9B by 2029

PRESS RELEASE

REDDING, Calif., Sept. 10, 2024 /PRNewswire/ -- According to a new market research report titled, 'SCADA Market by Type (Monolithic SCADA Systems, Distributed SCADA Systems, Networked SCADA Systems), Component (Hardware, Software, Services), Deployment Mode, End-use Industry (Oil & Gas, Automotive, F&B)—Global Forecast to 2031.

The rising adoption of automated technologies across Europe and Asia-Pacific, the advent of Industry 5.0, the growing demand for smart and digitized production processes, and the increasing emphasis on industrial automation are key factors driving the growth of SCADA. However, the high initial investment requirements for SCADA implementation are restraining the growth of this market.

Furthermore, the growing adoption of wireless sensor networks and the proliferation of smart factories are expected to generate growth opportunities for the players operating in this market. However, the risk of cyberattacks is a major challenge impacting market growth. Furthermore, the rising adoption of Industry 4.0 technologies and the increasing reliance on Human-Machine Interface (HMI) systems are prominent trends in the SCADA market.

Advent of Industry 5.0 Boosting the Demand for Scada Systems 

Industry 5.0, also known as the Fifth Industrial Revolution, is a new and emerging phase of industrialization that builds upon the principles of Industry 4.0 but emphasizes the human touch and the integration of human skills with advanced technologies. Industry 4.0 focused on technologies such as the Internet of Things and big data, whereas Industry 5.0 seeks to involve human, environmental, and social aspects.

As Industry 5.0 promotes enhanced collaboration between humans and machines, there is an increasing demand for sophisticated automation and control systems capable of effectively bridging the gap between these elements. SCADA systems facilitate real-time monitoring and control of industrial processes, playing an important role in enabling seamless interactions between humans and machines. They offer the necessary infrastructure for incorporating human input and feedback into automated workflows, thereby optimizing performance and efficiency. With Industry 5.0 driving the adoption of advanced technologies, the requirement for comprehensive monitoring and control solutions to ensure seamless integration and coordination is growing. SCADA systems have significantly improved the reliability and capability of automation. Centralized SCADA systems are increasingly utilized for decision-making in hazardous situations to prevent accidents in complex infrastructure. These systems oversee and manage entire sites, support informed decision-making, enhance efficiency, and minimize downtime. The advantages provided by SCADA systems, coupled with the escalating need to maintain the integrity and reliability of critical infrastructure, are driving market growth.

Governments are actively supporting industrial automation and digitalization initiatives. For example, in January 2021, the President of Spain introduced three new plans for SMEs (2021-2025)—the Connectivity Plan, the Strategy to Promote 5G Plan, and the National Strategy for Artificial Intelligence. These plans are part of the Spain 2025 Digital Agenda and aim to advance the development and deployment of SCADA systems across various industries. By enhancing capabilities and driving digital transformation, these initiatives are increasing demand for SCADA systems and contributing to market growth.

SCADA Market Analysis: Key Segmental Findings

*   By Type: In 2024, the networked SCADA systems segment is expected to account for the largest share of 47.5% of the SCADA market. Moreover, this segment is projected to register the highest CAGR of 8.2% during the forecast period from 2024 to 2031.
    
*   By Component: In 2024, the hardware segment is expected to account for the largest share of 55.9% of the SCADA market. However, the software segment is estimated to record the highest CAGR during the forecast period from 2024 to 2031.
    
*   By Deployment Mode: In 2024, the on-premise deployments segment is expected to account for the dominant share of the SCADA market. However, the cloud-based deployments segment is anticipated to register the highest CAGR of 10.5% during the forecast period from 2024 to 2031.
    
*   By End-use Industry: In 2024, the manufacturing segment is expected to account for the major share of 26.4% of the SCADA market. However, the automotive segment is slated to record the highest CAGR of 10.7% during the forecast period from 2024 to 2031.
    

Get A Glimpse Inside: Request Sample Pages \- https://www.meticulousresearch.com/request-sample-report/cp\_id=5186

Geographic Analysis:

By geography, the SCADA market is segmented into North America, Europe, Asia-Pacific, Latin America, and the Middle East & Africa. In 2024, North America is estimated to account for the largest share of 32.1% of the SCADA market. The North America SCADA market is expected to reach $5,488.3 million by 2031.

The industrial sector has seen extensive implementation of automation systems, especially in North America. Manufacturers in this region are increasingly deploying advanced automation technologies in their operations. North American countries are competing with their Asian and European counterparts to position themselves as key manufacturing centers, with the goal of lowering costs related to importing goods. The high labor costs in the U.S. are a primary impetus for the adoption of process control systems, such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution System), and DCS (Distributed Control System). These systems are instrumental in reducing the need for human oversight and management of automation processes.

Key market players are focusing on developing SCADA solutions with advanced features tailored for various industrial applications, including oil & gas, power, utilities, automotive, electronics, and F&B. For example, in October 2022, Emerson Electric Co. (U.S.) introduced Movicon.NExT 4.2, an advanced automation platform designed for seamless integration with field devices and enterprise systems. This software provides the data and insights necessary for achieving operational excellence across diverse applications in discrete and hybrid manufacturing sectors, including F&B, packaged consumer goods, energy, infrastructure, building automation, and machine automation.

Furthermore, in October 2022, AtomTech (U.S.) expanded its North American presence by launching AtomTech Canada. This move addresses the growing demand for automation, cybersecurity, SCADA, and IIoT 4.0 solutions across industries such as automotive, medical equipment, and warehouse logistics. Such developments support the growth of the SCADA market in the region during the forecast period.

Have specific research needs? Request a customized research report:- https://www.meticulousresearch.com/request-customization/cp\_id=5186

Asia-Pacific: The Fastest-growing Regional Market

The SCADA market in Asia-Pacific is poised to register the highest CAGR during the forecast period. In 2024, China is expected to account for the major share of the SCADA market in Asia-Pacific. Asia-Pacific generates significant growth opportunities for the adoption of industrial process control solutions, given its extensive and diverse manufacturing sector. Traditionally, manual or semi-automatic control processes have characterized industrial production in the region. However, advanced automation solutions are becoming essential for achieving the flexibility required in high-volume production lines, thereby enhancing overall operational efficiency.

Asia-Pacific is a prominent manufacturing hub across multiple sectors, including automotive, electronics, consumer goods, pharmaceuticals, and more. This manufacturing prominence is a significant driver of automation technology adoption in the region. SCADA solutions are increasingly being adopted in countries such as China, Japan, South Korea, and India, driven by efforts to modernize manufacturing facilities and the need for SCADA software to interface with Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Human-Machine Interface (HMI) components. The focus on improving process efficiencies and reducing production costs further fuels market growth, enabling operators to analyze and make decisions from remote locations.

The rapid advancement of automation and artificial intelligence (AI) is having a profound impact on economies in the APAC region. Asiais expected to be the fastest-growing automation market, driven by factors such as population growth, urbanization, economic development, rising wages, and decreasing costs associated with automated industrial technologies. The increasing awareness of advanced industrial control solutions, including SCADA systems for comprehensive manufacturing process monitoring, is a key driver of this market growth.

The U.K. Continues to Dominate the SCADA Market in Europe

In 2024, the U.K. is expected to account for the largest share of the SCADA market in Europe. Several factors are driving the adoption of industrial control systems in the U.K., including the expansion of the manufacturing industry, stringent manufacturing and industrial safety regulations, increased diversity in consumer products, growing awareness of automated systems, and rising labor costs. Many enterprises and industries in the U.K. are increasingly adopting automated machines and control solutions to enhance operational process monitoring. Key sectors such as oil & gas, power, automotive, F&B, electronics, and semiconductors are leading the way in implementing industrial control systems. In response to the evolving needs of these industries, market players are actively developing advanced SCADA solutions. For example, in September 2020, Severn Trent plc (U.K.) invested USD 6.4 million to upgrade its SCADA monitoring and management systems to a cloud-based platform.

SCADA Market: Competition Analysis

This report offers a competitive analysis based on an extensive assessment of the leading players' product portfolios, geographic presence, and key growth strategies adopted over the past three to four years. Major companies in the SCADA market have implemented various strategies to expand their product offerings and global footprints and augment their market shares. The key strategies followed by most companies in the SCADA market were product launches & enhancements, acquisitions, expansion, partnerships, agreements, and collaborations. The key market players operating in the SCADA market include Rockwell Automation, Inc. (U.S.), Siemens AG (Germany), Eaton Corporation plc (Ireland), Schneider Electric SE (France), ABB Ltd (Switzerland), Yokogawa Electric Corporation (Japan), General Electric Company (U.S.), Emerson Electric Co. (U.S.), Honeywell International, Inc. (U.S.), Mitsubishi Electric Corporation (Japan), OMRON Corporation (Japan), Pilz GmbH & Co. KG (Germany), Survalent Technology Corporation (Canada), Valmet (Finland), and Hitachi, Ltd. (Japan).

Browse In-Depth Report Now - https://www.meticulousresearch.com/product/scada-market-5186

SCADA Industry Overview: Latest Developments from Key Industry Players

*   In June 2023, Siemens AG introduced the SICAM 8 power automation platform, which includes two new software solutions: the SICAM HMI (Human Machine Interface) visualization tool and the SICAM S8000 software solution for power automation. This platform is part of the Siemens Xcelerator portfolio, an open digital platform designed to help customers accelerate their digital transformation at scale.
    
*   In April 2023, Siemens AG partnered with Gujarat Metro Rail Corporation Limited (GMRCL) (India) to advance rail electrification technologies. Siemens Limited will deliver project management services and cutting-edge rail electrification technologies, including advanced power supply and distribution systems. Additionally, Siemens Limited will provide sophisticated digital solutions, such as Supervisory Control and Data Acquisition (SCADA) systems, for both metro projects.
    
*   In March 2023, Rockwell Automation launched FactoryTalk Optix, a new addition to the company's visualization portfolio. FactoryTalk Optix is a modern, cloud-enabled human-machine interface (HMI) platform that allows users to design, test, and deploy applications directly from a web browser remotely, in real time.
    
*   In February 2023, ABB launched the ABB Ability Symphony Plus distributed control system that delivers seamless and secure access to an extended digital ecosystem for power generation and water industries. It increases performance and enables plant-wide digitalization, offering a noninvasive modernization of the installed base.
    
*   In October 2022, Emerson released a new version of its DeltaV distributed control system (DCS). Version 15 helps plants digitally transform operations through improved production optimization and enhanced operator performance.
    
*   In April 2022, ABB partnered with Ramboll (Denmark) to explore new opportunities in offshore substations. ABB will leverage its expertise in the design and supply of electrical, SCADA, automation, and telecommunications equipment. This includes engineering, products, installation, commissioning, and operational maintenance of these systems.
    
*   In January 2022, Schneider Electric entered into an agreement with AVEVA, a leading technology company. This collaboration was designed to further AVEVA's digital and sustainability objectives. Schneider Electric's extensive reach and profound market expertise will support AVEVA in sustaining, expanding, and enhancing its leadership in the industrial automation software and SCADA sectors across the Pacific region.
    
*   In April 2021, Mitsubishi Electric updated its SCADA lineup with GENESIS64, introducing two new software products for system monitoring and process control. This new software suite replaced the MC Works64 SCADA software, which was designed for monitoring small production lines and managing multi-site monitoring.
    
*   In January 2021, Rockwell Automation acquired Fiix Inc. (Canada), an AI-enabled computerized maintenance management system (CMMS) company. This acquisition bolsters Rockwell Automation's software strategy and strengthens its Lifecycle Services business. The addition of Fiix enhances the company's ability to offer a comprehensive range of industrial automation services, aimed at maximizing the value of customers' production assets, systems, plants, and processes.

SCADA Market Is Set to Reach $18.7B by 2031

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders

Meta has admitted to scraping Australian Facebook user's public photos, posts and other data to train its AI models, including those of kids on adult profiles.

Facebook has admitted that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models. Unlike citizens of the European Union (EU), Australians are not offered an opt-out option to refuse consent.

At an inquiry as to whether the social media giant was hoovering up the data of all Australians in order to build its generative artificial intelligence tools, senator Tony Sheldon asked whether Meta (Facebook’s owner) had used Australian posts from as far back as 2007 to feed its AI products.

At first Meta’s global privacy director Melinda Claybaugh denied this but senator David Shoebridge challenged her claim.

> “The truth of the matter is that unless you have consciously set those posts to private since 2007, Meta has just decided that you will scrape all of the photos and all of the texts from every public post on Instagram or Facebook since 2007, unless there was a conscious decision to set them on private. That’s the reality, isn’t it?”

Claybaugh said yes, but she added that accounts of people under 18 were not scraped. However, when Senator Sheldon asked Claybaugh whether public photos of his children on his own account would be scraped, Claybaugh acknowledged they would.

When asked whether the company scraped data from previous years of users who were now adults, but were under 18 when they created their accounts, the question remained unanswered.

It is not new that Meta uses public Facebook and Instagram posts to train its AI, and Meta is not the only social media platform that does this. European privacy watchdogs accused X of unlawfully using personal data of 60 million+ users to train its AI Grok as well.

In June, the EU’s Data Protection Commission (DPC) reached an agreement with Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU. This decision followed intensive engagement between the DPC and Meta.

Australia recently revealed plans to set a minimum age limit for children to use social media, citing concerns around mental and physical health.

Prime Minister Anthony Albanese said his government would run an age verification trial before introducing age minimum laws for social media this year. The Prime Minister didn’t specify an age but said it would likely be between 14 and 16.

The reasoning behind the age limit had nothing to do with data scraping. He stated:

> “I want to see kids off their devices and onto the footy fields and the swimming pools and the tennis courts. … We want them to have real experiences with real people because we know that social media is causing social harm.”

But nevertheless, the scraping could be a factor when the final decision about the age limit comes around.

**What to do**

Wherever you are in the world, we encourage you to think carefully about sharing photos of your kids online. Of course it’s lovely to post their photos for your friends and family to see, but once something is posted online you lose control about where that image is, and who has access to it.

If you really do want to share photos, lock your profile down as much as possible and keep your photos away from just anyone.

If you’re an adult and worried about image scraping, check the terms and conditions for accounts and see if you can opt-out. If there’s no option, carefully consider whether you want to post to that service at all.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Facebook scrapes photos of kids from Australian user profiles to train its AI 

We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click\[.\]cardfoolops\[.\]com visitors are redirected to partnerleak\[.\]com.

The partnerleak\[.\]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak\[.\]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

> “completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

> “**Are You Concerned About Your Partner’s Honesty?**
> 
> If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.
> 
> **Our Service**
> 
> Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:
> 
> Data Backup Access: You can download a backup from iCloud or Google, which includes:
> 
> *   Device location tracking
> *   Movement history with timestamps
> *   Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
> *   Photo and video materials stored on the smartphone
> 
> Social Media Analysis: Utilizing AI and extensive data, our service can:
> 
> *   Check user registration and analyze behavior on platforms like Facebook and Twitter
> *   Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid
> 
> This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.
> 
> **Commitment to Anonymity and Privacy**
> 
> *   Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
> *   Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.
> 
> Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

*   Credit card
*   Bitcoin
*   Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet

An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

> “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 PartnerLeak scam site promises victims full access to &#8220;cheating&#8221; partner&#8217;s stolen data 

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against…

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against domain fraud, brand impersonation, and online Ponzi schemes to prevent losses.

Cybercriminals and nation-state hackers are increasingly targeting retail affiliate programs to conduct cryptocurrency scams, according to the latest research by cybersecurity firm DomainTools.

With its vast economic footprint and consumer brand loyalty, the retail sector has become a prime target for these malicious actors, exploiting online platforms and brand reputations to deceive consumers and reap financial rewards.

**Leveraging Brand Loyalty for Fraud**

The global retail industry—valued at over $30 trillion annually and with the top 50 retailers contributing more than $1.13 trillion in revenue in 2023—has always been a lucrative target for scammers and fraudsters. However, the transition toward e-commerce has opened up new opportunities for cybercriminals to exploit.

The DomainTools detailed technical report, shared with Hackread.com ahead of publishing, dives deep into how threat actors use domain fraud, brand impersonation, and multi-level Ponzi schemes to deceive consumers and steal cryptocurrency.

Cybercriminals are not just after financial gains; they are also damaging brand reputations. By closely imitating well-known consumer brands, these actors aim to exploit the trust and loyalty consumers have for these companies. This multi-layered fraud not only affects individual consumers but also threatens the credibility of the brands themselves.

**Online Storefronts: A Hotspot for Fraud**

One noteworthy trend underlined in the report is the rise of **e-commerce domain fraud**. As physical stores closed during the global pandemic, the retail sector’s move to online platforms created another ground for cybercriminals.

One group of threat actors, for instance, set up hundreds of fraudulent websites to impersonate well-known global retailers. These sites often promised huge discounts through fake “store closing” sales, luring unsuspecting consumers into the trap.

DomainTools traced thousands of such fraudulent domains, some of which impersonated luxury brands like Rolex and Cartier. The scammers created these fake websites using templates, automated processes, and even legitimate e-commerce platforms to generate convincing landing pages. The scale of the operation is staggering, with over 2,300 fraudulent domains tied to just one SSL certificate alone.

**Ponzi Schemes Disguised as Affiliate Programs**

The report also uncovers a disturbing trend: the use of brand impersonation to conduct financial fraud. Cybercriminals are preying on individuals looking for side-income opportunities by promising commissions for completing simple tasks, such as boosting online sales for well-known brands like Amazon and Target. Victims are led to believe they are joining legitimate affiliate programs when, in reality, they are being lured into Ponzi schemes.

These scams often require victims to invest in cryptocurrency, such as USDT (Tether), with the promise of high returns. The fraudsters then push victims to recruit others, creating a multi-level marketing front.

In one case, a fraudulent website using the domain “amazon-9000com” mimicked Amazon’s platform to convince users to invest in these fake opportunities. This particular scheme was linked to over 200 other fraudulent domains impersonating major brands, including Lazada, Walmart, and TikTok.

Example of malicious domains impersonating top brands (Screenshot: DomainTools)

**Copycat Scams Spread Quickly**

The third major finding in the report is the proliferation of **copycat schemes**. Once a scam proves successful, it is quickly replicated by other cyber criminals. For example, a domain called “targetpk8top” appeared in late 2023, impersonating Target in much the same way as earlier scams targeted Amazon. The same templates, naming conventions, and SSL certificates were used, showing how quickly these tactics spread across the cybercriminal ecosystem.

These copycat scams often follow a familiar playbook: they use fake investment schemes, promise high cryptocurrency returns, and rely on social media platforms to find new victims. By the time consumers realize they’ve been duped, the scammers have often disappeared, leaving little chance of recovering lost funds.

**What’s Next for Retailers?**

The report urges the retail sector to remain vigilant. These scams have been ongoing since at least 2020, and the perpetrators show no signs of slowing down. Retailers must monitor their online presence closely, especially regarding domain registrations and brand impersonations.

Additionally, collaboration is key. Organizations like the **Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC)** and the **National Cyber-Forensics and Training Alliance (NCFTA)** are instrumental in sharing threat intelligence across the industry, helping retailers stay one step ahead of evolving cyber threats.

Although such scams are not new, their increased sophistication is only making it worse for unsuspecting customers and retailers. Therefore, both parties should recognize the threat posed by domain fraud and brand impersonation. Businesses should train their employees, and customers should learn how to identify scams or malicious websites.

1.  How to Increase Your Business’s Online Brand Awareness
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Check Point Research: Microsoft the Most Phished Brand in Q2 2023
4.  Domain Squatting, rand Hijacking: A Silent Threat to Digital Enterprises
5.  42,000 phishing domains discovered masquerading as popular brands

From Amazon to Target: Hackers Mimic Top Brands in Global Crypto Scam

Cato CTRL (Cyber Threats Research Lab) has released its Q2 2024 Cato CTRL SASE Threat Report. The report highlights critical findings based on the analysis of a staggering 1.38 trillion network flows from more than 2,500 of Cato’s global customers, between April and June 2024.
Key Insights from the Q2 2024 Cato CTRL SASE Threat Report
The report is packed with unique insights that are based on

Threat Intelligence / Cybercrime

Cato CTRL (Cyber Threats Research Lab) has released its Q2 2024 Cato CTRL SASE Threat Report. The report highlights critical findings based on the analysis of a staggering 1.38 trillion network flows from more than 2,500 of Cato's global customers, between April and June 2024.

**Key Insights from the Q2 2024 Cato CTRL SASE Threat Report**

The report is packed with unique insights that are based on thorough data analysis of network flows. The top three insights for enterprises are as follows.

**1) IntelBroker: A Persistent Threat Actor in the Cyber Underground**

During an in-depth investigation into hacking communities and the dark web, Cato CTRL identified a notorious threat actor known as IntelBroker. IntelBroker is a prominent figure and moderator within the BreachForums hacking community and has been actively involved in the sale of data and source code from major organizations. These include AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and the US Army Aviation and Missile Command.

**2) 66% of Brand Spoofing Focuses on Amazon**

Cybersquatting is the spoofing and exploitation of a brand's domain name to profit from its registered trademark. The report finds that Amazon was the most frequently spoofed brand, with 66% of such domains targeting the retail giant. Google followed, albeit at a distant second, with 7%.

**3) Log4j _Still_ Being Exploited**

Despite being discovered in 2021, the Log4j vulnerability remains a favored tool among threat actors. From Q1 to Q2 2024, Cato CTRL recorded a 61% increase in attempted Log4j exploits in inbound traffic and a 79% rise in WANbound traffic. Similarly, the Oracle WebLogic vulnerability, first identified in 2020, saw a 114% increase in exploitation attempts within WANbound traffic over the same period.

**Security Recommendations**

Based on the findings of the report, Cato CTRL advises organizations to adopt the following best practices:

1.  Regularly monitor dark web forums and marketplaces for any mention of your company's data or credentials being sold.
2.  Employ tools and techniques to detect and mitigate phishing and other attacks that leverage cybersquatting.
3.  Establish a proactive patching schedule focused on critical vulnerabilities, particularly those actively targeted by threat actors, such as Log4j.
4.  Create a step-by-step plan for responding to a data breach.
5.  Adopt an "assume breach" mentality with methods like ZTNA, XDR, pen testing and more.
6.  Develop an AI governance strategy.

Read additional recommendations with more details in the report.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Top 3 Threat Report Insights for Q2 2024

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called **OilRig**.

The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.

OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).

Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.

The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.

"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.

"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."

Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.

This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.

The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is likely said to have involved an element of social engineering.

The files initiate the execution of intermediate PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.

"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for \[C2\] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."

Spearal is designed to execute PowerShell commands, read file contents and send it in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.

Also written .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.

Check Point said its analysis of the threat actor infrastructure led to the discovery of a different XML configuration file that's likely associated with a third SSH tunneling backdoor.

It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and examines incoming web requests for "OnGlobalPreBeginRequest" events and executes commands when they occur.

"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the; sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."

The malicious IIS module, which represents an evolution of a malware classified as Group 2 by ESET in August 2021 and another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.

"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.

"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.
"The statutory inquiry concerns the question of whether Google has complied

Regulatory Compliance / Data Protection

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.

"The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35\[2\] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said.

PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023.

With Google's European headquarters based in Dublin, the DPC acts as the primary regulator responsible for making sure the company abides by the bloc's stringent data privacy rulebook.

The DPC said an inquiry is crucial to ensure that individuals' fundamental rights and freedoms are safeguarded, especially when processing of such data when developing AI systems can lead to a "high risk."

The development comes weeks after social media platform X permanently agreed not to train its AI chatbot, Grok, using the personal data it collected from European users without obtaining prior consent. Back in August, the DPC said X consented to suspend its "processing of the personal data contained in the public posts of X's E.U./E.E.A. users which it processed between 7 May 2024 and 1 August 2024."

Meta, which recently admitted to scraping every Australian adult Facebook user's public data to train its AI system, has paused its plans to use content posted by European users following a request from the DPC over privacy concerns. It has also suspended the use of generative AI (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.

Last year, Italy's data privacy regulator also temporarily banned OpenAI's ChatGPT because of concerns that its practices are in violation of data protection laws in the region.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel